ssh ssh custom port firewall help info firewall-cmd iptables

sirmonkey
Posts: 11
Joined: 2014/07/19 03:09:34

ssh ssh custom port firewall help info firewall-cmd iptables

Post by sirmonkey » 2014/07/19 03:27:33

So, Windows 8 wasn't bad enough, eh? Or is throwing people under the bus the new norm? Why does no one make simple scripts to help the transition?!?!

For those googling to figure out that there are new network config tools and little to no documentation on them, here is some help.

Code:

ip addr
# ip addr replaces ifconfig... and yes, its output makes my eyes hurt too.
(I know, please don't jump off a bridge. And don't ask me why someone wasn't kind enough to make a script that says "sorry, ifconfig is no longer used, use this instead, thank you".)

Code:

systemctl stop firewalld
# systemctl stop firewalld ***UPDATE*** This apparently isn't enough. Don't know what else is needed, though :-/
*** UPDATE 2 *** this does work. It's just that there is another issue with sshd ... to test this, run

Code:

iptables -L -v
Turns out this new firewalld is similar to shorewall from 5~8 years ago (so long ago I can't remember).

That turns off the crazy new firewall. I know I can hear admins screaming, but hey, most installs I do are behind firewalls and don't need any of their own. Why bother with the overhead? And why in the good lord's name is there a network manager in CentOS?? This isn't a Mac. We are building servers that NEVER EVER NEVER EVER EVER EVER change networks, ever.

Now if you're a paranoid American and want to keep your firewall (not a bad idea, to keep it really) and poke a hole for a custom sshd port,
I *think* this works:
# firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport <CUSTOM SSHD PORT NUMBER> -j ACCEPT
but I don't dare test it, for I'll lose connection to my servers. Maybe someone will post what to do? (And maybe the CentOS how-tos will get updated?)
***UPDATE 2***
to add a custom sshd port (and keep firewall up):

Code:

yum install mc
You can bless me later for informing you about Midnight Commander.

Get to /usr/lib/firewalld/services,
then hit tab to switch window panes and take the other window pane to /etc/firewalld/services.
Tab back to the /usr/lib one, highlight that ssh file, hit "F5", then OK.
Now on the /etc pane highlight that ssh file and hit "F4".
Add your custom port and save (watch, I don't even have to say what to do, mc is that self-explanatory; be jealous, vi and emacs).
now :

Code:

systemctl restart firewalld
IMPORTANT
UPDATE 3 !!! (i've been doing learnings!)
So it turns out that if you don't have semanage, you can still have selinux (security software).
Go to (crap, all my CentOS boxes are off) well, I think /etc/selinux
and edit the conf file to "disabled".

7-22-14, I've been learned, below is WRONG and left here for historical purposes
as of 7-20-2014, sshd in CentOS 7 doesn't seem to work with custom ports. So to get it to start:
pkill sshd
now start it manually
/sbin/sshd
working :-) (but don't do it, instead disable selinux, maybe i'll figure out how to make them all friends)



as for those who have life-time-energy to burn here are some sites I found with info
https://fedoraproject.org/wiki/Firewall ... _FirewallD

https://access.redhat.com/documentation ... walls.html

http://manned.org/firewall-cmd/f7a55310

good luck
Last edited by sirmonkey on 2014/07/23 01:07:00, edited 3 times in total.
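The post above opens the custom port by copying /usr/lib/firewalld/services/ssh.xml to /etc/firewalld/services and editing the port by hand. As an added example (not code from this thread or from the CentOS project), here is the same step as a small POSIX shell script: it validates the port number, generates a service definition of the same shape as the stock ssh.xml with only the port changed, and applies it through firewall-cmd only when that tool is actually present. The service name ssh-custom and the port 2222 are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Generates a firewalld service file for a
# custom sshd port and applies it. Service name "ssh-custom" is a hypothetical
# choice; the port is whatever the caller passes.

# Accept only a TCP port in 1..65535, so junk never reaches a config file.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Emit a firewalld service definition that opens only the given port.
# Same layout as the stock ssh.xml, with the port attribute changed.
ssh_service_xml() {
    port="$1"
    valid_port "$port" || return 1
    printf '%s\n' \
        '<?xml version="1.0" encoding="utf-8"?>' \
        '<service>' \
        '  <short>SSH (custom port)</short>' \
        '  <description>Secure Shell on a non-default port.</description>' \
        "  <port protocol=\"tcp\" port=\"$port\"/>" \
        '</service>'
}

# Write the file under /etc/firewalld/services (which overrides the copy in
# /usr/lib/firewalld/services) and make firewalld pick it up. Leaves the
# standard "ssh" service in place so the old port keeps working until the new
# one has been verified from a second session. Skipped when firewall-cmd is
# not installed, so the script can be inspected on any machine.
apply_ssh_service() {
    port="$1"
    name="${2:-ssh-custom}"               # hypothetical service name
    dest="/etc/firewalld/services/$name.xml"
    if ! command -v firewall-cmd >/dev/null 2>&1; then
        echo "firewall-cmd not found; would have written $dest" >&2
        return 2
    fi
    ssh_service_xml "$port" > "$dest" || return 1
    firewall-cmd --reload \
      && firewall-cmd --permanent --add-service="$name" \
      && firewall-cmd --reload
}

# Show the generated definition for the assumed port 2222.
ssh_service_xml 2222
```

The first `--reload` is needed because firewalld only reads new service files on reload; the second activates the permanent change. If a service file is not wanted at all, `firewall-cmd --permanent --add-port=2222/tcp` followed by `firewall-cmd --reload` opens the same port directly. Either way, keep the existing session open and confirm `ssh -p 2222` works before removing the default `ssh` service.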

sirmonkey
Posts: 11
Joined: 2014/07/19 03:09:34

Re: ssh ssh custom port firewall help info firewall-cmd ipta

Post by sirmonkey » 2014/07/20 15:38:42

So a heads up, that command to stop the firewall....

yeah, it's still blocking ports :-/

sirmonkey
Posts: 11
Joined: 2014/07/19 03:09:34

Re: ssh ssh custom port firewall help info firewall-cmd ipta

Post by sirmonkey » 2014/07/21 01:51:27

Another update. sshd doesn't seem to want to run on custom ports...
Once you edit your sshd_config file:

Code:

pkill sshd
then

Code:

/sbin/sshd

drk
Posts: 405
Joined: 2014/01/30 20:38:28

Re: ssh ssh custom port firewall help info firewall-cmd ipta

Post by drk » 2014/07/21 05:40:19

Did you tell selinux about your new port?

sirmonkey
Posts: 11
Joined: 2014/07/19 03:09:34

Re: ssh ssh custom port firewall help info firewall-cmd ipta

Post by sirmonkey » 2014/07/22 01:02:49

i don't see a semanage command

Code:

[root@boxA8 ~]# se
secon                selinuxenabled       service              setenforce           setmetamode          setup-nsssysinit.sh
sed                  selinuxexeccon       sestatus             setfacl              setpriv              setvtrgb
sefcontext_compile   semodule             set                  setfiles             setsebool            sexp-conv
select               sendmail             setarch              setfont              setsid
selinuxconlist       sendmail.postfix     setcap               setkeycodes          setterm
selinuxdefcon        seq                  setcifsacl           setleds              setup-nsssysinit
Am I supposed to use something else? I'm a Debian guy (and Mandrake years before that), never had to deal with selinux before.

thanks for the help

drk
Posts: 405
Joined: 2014/01/30 20:38:28

Re: ssh ssh custom port firewall help info firewall-cmd ipta

Post by drk » 2014/07/22 04:44:30

sirmonkey wrote: i don't see a semanage command

Code:

$ type semanage
semanage is /usr/sbin/semanage
$ rpm -qf /usr/sbin/semanage
policycoreutils-python-2.0.83-19.39.el6.x86_64

SaBuJo
Posts: 4
Joined: 2014/03/04 15:12:06

Re: ssh ssh custom port firewall help info firewall-cmd ipta

Post by SaBuJo » 2014/07/22 20:06:24

I have the same problem, and solved it by changing the file /usr/lib/firewalld/services/ssh.xml.

Change the port in this file and put the same one in sshd_config, restart sshd and after that firewalld.

Works for me!!

sirmonkey
Posts: 11
Joined: 2014/07/19 03:09:34

Re: ssh ssh custom port firewall help info firewall-cmd ipta

Post by sirmonkey » 2014/07/23 01:02:24

Thanks @SaBuJo!

And @drk ... see, this is what happens when you assume.... I was just skipping along following some howto, only to see "check selinux with this nifty semanage command", didn't see the command, ASSUMED selinux wasn't installed, and went about my way.... then you had to go and type words.
THANK YOU DRK, because I entered /etc, saw this mysterious selinux folder, and behold, a config file! noooo.
Now things work great. Thank you :-)

SaBuJo
Posts: 4
Joined: 2014/03/04 15:12:06

Re: ssh ssh custom port firewall help info firewall-cmd ipta

Post by SaBuJo » 2014/07/23 02:27:43

For the selinux solution you can use two options:

Disable selinux by changing the file:

nano /etc/sysconfig/selinux

Change line SELINUX=enforcing or permissive to SELINUX=disabled

or

or apply the change in selinux with the command:

semanage port -a -t ssh_port_t -p tcp "SSH_PORT"

Change "SSH_PORT" to the ssh port used in sshd_config.

Best regards.
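The semanage step above is the one that tripped up the whole thread: sshd_config had the new port, but SELinux still only allowed sshd to bind port 22. As an added example (not code from this thread), here is a POSIX shell pre-flight check for that step. It reads every Port line from an sshd_config, compares them with the TCP ports a "semanage port -l" listing already labels ssh_port_t, and prints the semanage command from SaBuJo's post for each port that is missing. The sshd_config and the semanage listing embedded in demo() are constructed sample inputs so the check runs offline; on a real box you would feed it /etc/ssh/sshd_config and the output of "semanage port -l".

```shell
#!/bin/sh
# Added example, not from the thread. Finds sshd ports that SELinux does not
# yet label ssh_port_t and prints the semanage command to add each one.

# Print every port sshd is configured to listen on, one per line.
# sshd_config allows several Port lines; commented lines are ignored.
sshd_ports() {
    # $1: path to an sshd_config
    awk 'tolower($1) == "port" && NF >= 2 { print $2 }' "$1"
}

# Extract the TCP ports that a "semanage port -l" listing assigns to one type.
# Such a line looks like:  ssh_port_t   tcp   22   (or "tcp   2222, 22").
labeled_ports() {
    # $1: file holding the listing, $2: SELinux port type (e.g. ssh_port_t)
    awk -v t="$2" '$1 == t && $2 == "tcp" {
        for (i = 3; i <= NF; i++) { gsub(",", "", $i); print $i }
    }' "$1"
}

# For each configured port not already labeled, print the command SaBuJo's
# post describes. Port ranges (a-b) in the listing are not expanded here.
missing_port_cmds() {
    cfg="$1"; listing="$2"
    for p in $(sshd_ports "$cfg"); do
        if ! labeled_ports "$listing" ssh_port_t | grep -qx "$p"; then
            echo "semanage port -a -t ssh_port_t -p tcp $p"
        fi
    done
}

# Constructed sample inputs: a config listening on 22 and 2222, and a listing
# in which only 22 is labeled ssh_port_t.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/sshd_config" <<'EOF'
# Port 22 is the default; this box also listens on a custom port
Port 22
Port 2222
PermitRootLogin no
EOF
    cat > "$tmp/semanage.txt" <<'EOF'
SELinux Port Type              Proto    Port Number
ssh_port_t                     tcp      22
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
EOF
    missing_port_cmds "$tmp/sshd_config" "$tmp/semanage.txt"
    rm -rf "$tmp"
}

demo   # prints: semanage port -a -t ssh_port_t -p tcp 2222
```

Running semanage needs root, and on CentOS 7 it ships in policycoreutils-python, the same package drk's rpm -qf output names for EL6. If semanage refuses to add a port because another type already owns it, `semanage port -m -t ssh_port_t -p tcp PORT` is the modify form of the same command. Labeling the port this way keeps SELinux enforcing, which is the safer of SaBuJo's two options: disabling SELinux removes the confinement from every service on the box, not just sshd.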
